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In 2008, the U.S. Department of Defense suffered a significant 
compromise of its classified military computer networks. It began 
when an infected flash drive was inserted into a U.S. military laptop 
at a base in the Middle East..The flash drive’s malicious computer 
code, placed there by a foreign intelligence agency, uploaded itself 
onto a network run by the U.S. Central Command. That code spread 
undetected on both classified and unclassified systems, establishing 
what amounted to a digital beachhead, from which data could be 
transferred to servers under foreign control. It was a network admin¬ 
istrator’s worst fear: a rogue program operating silently, poised to 
deliver operational, plans in to the hands of an unknown adversary. 

This previously classified incident was the most significant breach 
of U.S. military computers ever, and it served as an important wake- 
up call. The Pentagon’s operation to counter the attack, known as 
Operation Buckshot Yankee, marked a turning point in U.S. cyber¬ 
defense strategy. 

Over the past ten years, the frequency and sophistication of in¬ 
trusions into U.S. military networks have increased exponentially. 
Every day, U.S. military and civilian networks are probed thousands 
of times and scanned millions of times. And the 2008 intrusion that led 
to Operation Buckshot Yankee was not the only successful penetration. 
Adversaries have acquired thousands of files from U.S. networks and 
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from the networks of U.S. allies and industry partners, including’weapons 
blueprints, operational plans, and surveillance data. 

As the scale of cyberwarfares threat to U.S. national security and 
the U.S . economy has come into view, the Pentagon has built layered 
and robust defenses around military networks and inaugurated the 
new U.S. Cyber Command to integrate cyberdefense onerations 
across the military. The Pentagon is now working with the Department 
of Homeland Security to protect government networks and critical 
infrastructure and with the United States’ closest allies to expand these 
defenses internationally. An enormous amou nt of foundational work 
remains, but the U.S. government has begun putting in place various 
initiatives to defend the United States in the digital age. 


TI-IE THREAT ENVIRONMENT 

Information technology enables almost everything the U.S. 
military does: logistical support and global command and control of 
forces, real-time provision of intelligence, and remote operations. Every 
one of these functions depends heavily on the military’s global com¬ 
munications backbone, which consists of 15,000 networks and seven 
million computing devices across hundreds of installations in dozens 
of countries. More than 90,000 people work full time to maintain it. 
In less than a generation, information technology in the military has 
evolved from an administrative tool for enhancing office productivity 
into a national strategic asset in its own right. The U.S. government’s 
digital infrastructure now gives the United States critical advantages 
over any adversary, but its reliance on computer networks also potentially 
enables adversaries to gain valuable intelligence about U.S. capabilities 
and operations, to impede the United States’ conventional military 
forces, and to disrupt the U.S. economy. In developing a strategy 
to counter these dangers, the Pentagon is focusing on a few central 
attributes of the cyberthreat. 

First, cyberwarfare is asymmetric. The low cost of computing devices 
means that U.S. adversaries do not have to build expensive weapons, 
such as stealth fighters or aircraft carriers, to pose a significant threat to 
U.S. military capabilities. A dozen determined computer programmers 
can, if they find a vulnerability to exploit, threaten the United States’ 
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global logistics network, steal its operational plans, blind its intelligence 
capabilities, or hinder its ability to deliver weapons on target. Knowing 
this, many militaries are developing offensive capabilities in cyberspace, 
and more than 100 Foreign intelligence organizations are trying to 
break into U.S. networks. Some governments already have the capacity 
to disrupt elements of the U.S. information infrastructure. 

In cyberspace, the offense has the upper hand. The Internet was 
designed to be collaborative and rapidly expandable and to have low 
barriers to technological innovation; security and identity management. 
were lower priorities. For these structural reasons, the U.S. governments 
ability' to defend its networks always lags _ 

behind its adversaries’ ability to exploit U.S. <3olcl War deterrence 
networks’ weaknesses. Adept programmers 

will find'vulnerabilities and overcome security models do not apply to 
measures put in place to prevent intrusions. In cyberspace, where it is 
an offense-dominant environment, a fortress ' ,. , r . , . . . „ 

mentality will not work. The United States 80 d,ftcult t0 ldenaf y an 
cannot retreat behind a Maginot Line of fire- attack’s perpetrator, 
walls or it will risk being overrun. Cyber¬ 
warfare is like maneuver warfare, in that speed and agility matter 
most. To stay ahead, of its pursuers, the United States must con¬ 
stantly adjust and improve its defenses. 

It must also recognize that traditional Cold War deterrence models 
of assured retaliation do not apply to cyberspace, where it is difficult 
and time consuming to identify an attack’s perpetrator. Whereas a 
missile comes with a return address, a computer virus generally does 
not. The forensic rvork necessary to identify an attacker may take 
months, if identification is possible at all. And even when the attacker 
is iden tified, if it is a nonstate actor, such as a terrorist group, it may 
have no assets against which the United States can retaliate. Further¬ 
more, what constitutes an attack is not always clear. In fact, many of 
today’s intrusions arc closer to espionage than to acts of war. The 
deterrence equation is further muddled by the fact that cyberattacks 
often originate from co-opted servers in neutral countries and that 
responses to them could have unintended consequences. 

■ Given these circumstances, deterrence will, necessarily be based more 
on denying any benefit to attackers than on Imposing costs through 
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retaliation. The challenge is to make the defenses effective enough to 
deny an adversary the benefit of an attack despite the strength of 
offensive tools in cyberspace. (Traditional arms control regimes would 
likely fail to deter cyberattacks because of the challenges of attribution, 
which make verification of compliance almost impossible. If there are to 
be international norms of behavior in cyberspace, they may have to follow 
a different model, such as that of public health or law enforcement.) 

Cyberthreats to U.S. national security are not limited to military 
targets. Hackers and foreign governments are increasingly able to 
launch sophisticated intrusions into the networks that control critical 

civilian infrastructure. Computer-induced 
failures of U.S. power grids, transportation 
networks, or financial systems could cause 
massive physical damage and economic dis¬ 
ruption. Such infrastructure is also essential 
to the military, both abroad and at home: 
coordinating the deployment and resupply of 
U.S. troops and equipping troops with goods 
from private vendors necessarily requires using 
unclassified networks that are linked to the open Internet. Protecting 
those networks and the networks that undergird critical. U.S. infrastruc¬ 
ture must be part of Washington’s national security and homeland 
defense missions. 

Modern information technolog}' also increases the risk of industrial 
espionage and the theft of commercial information. Earlier this year, 
Google disclosed that it had lost intellectual property as a result of a 
sophisticated operation perpetrated against its corporate infrastructure, 
an operation that also targeted dozens of other companies. Although the 
threat to intellectual property is less dramatic than the threat to critical, 
national infrastructure, it may be the most significant cyberthreat that 
the United States will face over the long term. Every year, an amount of 
intellectual property many times larger than all the intellectual property 
contained in the Library of Congress is stolen from networks maintained 
by U.S. businesses, universities, and government agencies. As military 
strength ultimately depends on economic vitality, sustained intellectual 
property losses could erode both the United States’ military effectiveness 
and its competitiveness in the global economy. 


The cyberthreat posed 
to intellectual property 
may prove to be the 
most significant one 
facing Washington. 
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Computer networks themselves are not the only vulnerability. 
Software and hardware are at risk of being tampered with even before 
they are linked together in an operational system. Rogue code, includ¬ 
ing so-called logic bombs, which cause sudden malfunctions, can 
be inserted into software as it is being developed. As for hardware, 
remotely operated “kill switches” and hidden “backdoors” can be 
written into the computer chips used by the military, allowing outside 
actors to manipulate the systems from afar. The risk of compromise 
in the manufacturing process is very real and is perhaps the least 
understood cyberthreat. Tampering is almost impossible to detect 
and even harder to eradicate. Already, counterfeit hardware has been 
detected in systems that the Defense Department has procured. The 
Pentagon’s Trusted Foundries Progam, which certifies parts produced 
by microelectronics manufacturers, is a good start, but it is not a 
comprehensive solution to the risks to the department’s technological 
base. Microsoft and other computer technology companies have 
developed sophisticated risk-mitigation strategies to detect malicious 
code and deter its insertion into their global supply chains; the U.S. 
government needs to undertake a similar effort for critical civilian and 
military applications. 

The United States rarely predicts accurately when, and where military 
conflicts will occur. Predicting cyberattacks is also proving difficult, 
especially since both state and nonstate actors pose threats. More 
important, given that information technology is evolving rapidly, 
policymakers are left with little historical precedent to inform their 
expectations. Thus, the U.S. government must be modest about its 
ability to know where and how this threat might mature; what it 
needs is a strategy that provides operational flexibility and capabilities 
that offer maximum adaptability. 

NEW STRATEGY 

As A doctrinal matter, the Pentagon has formally recognized 
cyberspace as a new domain of warfare. Although cyberspace is a 
man-made domain, it has become just as critical to military operations 
as land, sea, air, and space. As such, the military must be able to defend 
and operate within it. To facilitate operations in cyberspace, the Defense 
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Department needs an appropriate organizational structure. For the 
past several years, the military’s cyberdefense effort was run by a loose 
confederation of joint task forces dispersed both geographically and 
institutionally. In June 2009, recognizing that the scale of the effort 
to protect cyberspace had outgrown the military’s existing structures, 
Defense Secretary Robert Gates ordered the consolidation of the task 
forces into a single four-star command, the U.S. Cyber Command, 
which began operations in May 2010 as part of the U.S. Strategic 
Command. Cyber Command is slated to become fully operational 
by October. 

Cyber Command has three missions. First, it leads the day-to-day 
protection of all defense networks and supports military and counter¬ 
terrorism missions with operations in cyberspace. Second, it provides a 

_ clear and accountable way to marshal cyber- 

The new U.S. Cyber warfare resources from across the military. 

' A single chain of command inns from the 

Command Will be fully U.S. president to the secretary of defense to 

operational by October, die commander of Strategic Command to the 

commander of Cyber Command and on to 
individual military units around the world.To ensure that considerations 
of cybersecurity are a regular part of training and equipping soldiers, 
Cyber Command oversees commands within each branch of the military, 
including the Army Forces Cyber Command, the U.S. Navy’s Tenth 
Meet, the 24th Air Force, and the Marine Corps Forces Cyberspace 
Command. Because military networks are not impervious to attack, a 
critical part of the training missi on is to ensure that all opera tional forces 
are able to function in a degraded information environment. 

Cyber Command’s third mission is to work with a variety of partners 
inside and outside the U.S. government. Representatives from the 
FBI, the Department of Homeland Security, the Justice Department, 
and the Defense Information Systems Agency work on-site at Cyber 
Command’s Fort Meade headquarters, as do liaison officers from the 
intelligence community and from allied governments. In partnership 
with the Department of Homeland Security, Cyber Command also 
works closely with private industry to share information about threats 
and to address shared vulnerabilities. Information networks connect 
a variety of institutions, so the effort to defend the United States will 
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only succeed if it is coordinated across the government, with allies, and 
with partners in the commercial sector. 

Given the dominance of offense in cyberspace, U.S. defenses need 
to be dynamic. Milliseconds can make a difference, so the U.S. military 
must respond to attacks as they happen or even before they arrive. To 
grapple with this, the Pentagon has deployed a system that includes 
three overlapping lines of defense. Two are based on commercial best 
practices—ordinary computer hygiene, which keeps security software 
and firewalls up to date, and sensors, which detect and map intrusions. 
The third line of protection leverages government intelligence capabil¬ 
ities to provide highly specialized active defenses. And the government 
is deploying all these defenses in a way that meets its obligation, to 
protect the civil liberties of U.S. citizens. 

The National Security Agency has pioneered systems that, using 
warnings provided by U.S. intelligence capabilities, automatically 
deploy defenses to counter intrusions in real time. Part sensor, part 
sentry, part sharpshooter, these active defense systems represent a 
fundamental shift in the U.S. approach to network defense. They 
work by placing scanning technology at the interface of military 
networks and the open Internet to detect and stop malicious code 
before it passes into military networks. Active defenses now protect 
all defense and intelligence networks in the “.mil” domain. 

Because some intrusions will inevitably evade detection and not 
he caught at the boundary, U.S. cyberdefenses must be able to find 
intruders once they are inside. This requires being able to hunt 
within the military’s own networks—a task that is also part of the 
Pentagon’s active defense capability. 

Active defense has been made possible by consolidating the Defense 
Department’s collective cyberdefense capabilities under a single roof 
and by linking them with tire signals in telligence needed to anticipate 
intrusions and attacks. Establishing this linkage was one of the most 
important reasons for the creation of Cyber Command. 

The speed at which active defense systems must act means that the- 
rules of engagement governing network defense must be set largely 
in advance. Devising these protocols is not easy. Indeed, the effort 
to define clear rules of engagement for responding to cyberattacks 
has been exceedingly difficult, and for good reason. These rules of 
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engagement will first have to assist in distinguishing between the 
exploits of a mere hacker, criminal, activity (such as fraud or theft), 
espionage, and an attack on the United States. They will then have to 
determine what action is necessary, appropriate, proportional, and 
justified in each particular case based on the laws that govern action 
in times of war and peace. 

The best-laid plans for defending military networks will matter little 
if civilian infrastructure—which could be directly targeted in a military 
-!_ conflict or held hostage and used as a bargain- 

Cri tieal i infrastructure 
could be targeted 
directly in a conflict or 
be held hostage as a 
bargaining chip against 
the U.S. government. 

but the Pentagon must leverage its ten years of concerted investment in 
cyberdefense to support broader efforts to protect critical infrastructure. 

The U.S. government has only just begun to broach the larger question 
of whether it is necessary and appropriate to use national resources, 
such as the defenses that now guard military networks, to protect civilian 
infrastructure. Policymakers need to consider, among other tilings, 
applying the National Security Agency’s defense capabilities beyond 
the “.gov” domain, such as to domains that undergird the commercial 
defense industry. U.S. defense contractors have already been targeted 
for intrusion, and sensitive weapons systems have been compromised. 
The Pentagon is therefore working with the Department of Homeland 
Security and die private sector to look for innovative ways to use the 
military’s cyberdefense capabilities to protect the defense industry. 

Given the global nature of the Internet, U.S. allies also play a critical 
role in cyberdefense. Th e more signatures of an attack one can see, and 
the more intrusions one can trace, the better one’s defenses will be. In 
this way, the construct of shared warning—a core Cold War doctrine— 
applies to cyberspace. Just as the United States’ air and space defenses 
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ing chip against the U.S. government—is 
not secure.The Defense Department depends 
on the overall information technology infra¬ 
structure of the United States. For example, it 
relies on many outside networks in the “.gov” 
and “.com” domains, including those run by 
defense contractors that are not protected as 
effectively as the military’s own network. The 
Department of Homeland Security has the lead 
in protecting the “.gov” and “.com” domains, 
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are linked with those of allies to provide warning of an attack from the 
sky, so, too, can the United States and its allies cooperatively monitor 
computer networks for intrusions. 

Some of the United States’ computer defenses are already linked 
with those of U.S. allies, especially through existing signals intelli¬ 
gence partnerships, but greater levels of cooperation are needed to stay 
ahead of the cyberthreat. Stronger agreements to facilitate the sharing 
of information, technology, and intelligence must be made with a greater 
number of allies. The report NATO 2020 , a NATO-commissioned 
study chaired by former U.S. Secretary of State Madeleine Albright, 
rightly identified the need for the alliance’s new “strategic concept” to 
further incorporate cyberdefense. The U.S. government must ensure 
that NATO moves more resources to cyberdefense so the member states 
can defend networks integral to the alliance’s operations. 


LEVERAGING DOMINANCE 

The United States enjoys unparalleled technological resources, 
and it can marshal its advantages to create superior military capabilities 
in cyberspace. The Pentagon has already begun to explore how major 
companies can help the public sector address the cyberthreat.Through 
a public-private partnership called the Enduring Security Framework, 
the chief executive officers and chief technology officers of major 
information technology and defense companies now meet regularly 
with top officials from the. Department of Homeland Security, the 
Office of the Director of National Intelligence, and the Department 
of Defense. 

The U.S. government’s research and development institutions 
have also turned their attention to cybersecurity. One of the more 
important innovations to emerge is the National Cyber Range 
program, developed by the Defense Advanced Research Projects 
Agency (darpa). Although the U.S. military routinely exercises 
units on target ranges and in a variety of simulations, the Pentagon 
has had no such capability when it comes to cyberwarfare. This 
is why darpa, which helped invent the Internet decades ago, is 
developing the National Cyber Range—in effect, a model of the 
Internet—which will allow the military to test its cyberdefense 
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capabilities before fielding them. Simulations are also relevant to 
understanding malicious software designed to infiltrate computer 
systems. The Department of Energy’s national laboratories have 
developed computer farms that, function as digital petri dishes, 
capturing live viruses from the Internet and observing how they spread. 
These training and diagnostic capabilities can help the United States 
stay ahead of its adversaries’ innovative cyberweapons. 

Darpa is pursuing even more fundamental research that may 
improve the governments ability to attribute attacks and blunt intruders’ 
capabilities, thereby making cyberspace a less offense-dominant envi¬ 
ronment. The agency is also challenging the scientific community to 
rethink the basic design of the Pentagon’s network architecture so that 
the military could redesign or retrofit hardware, operating systems, 
and computer languages with cybersecurity in mind. Complex infor¬ 
mation technology infrastructure will not change overnight, but over 
the course of a generation, the United States has a real opportunity to 
engineer its way out of some of the most problematic vulnerabilities 
of today’s technology. 

The government must also strengthen its human capital. The 
Pentagon has increased the number of its trained cybersecurity 
professionals and deepened their training. This includes a formal 
certification program that is graduating three times as many cyber¬ 
security professionals annually as a few years.ago. Following industry 
practices, the Pentagon’s network administrators are now trained in 
“ethical hacking,” which involves employing adversarial techniques 
against the United States’ own systems in order to identify weaknesses 
before they are exploited by an enemy. 

Even as the U.S. government strengthens its cadre of cyber¬ 
security professionals, it must recognize that long-term trends in human 
capital do not bode well. The United States has only 4.5 percent of 
the world’s population, and over the next 20 years, many countries, 
including China and. India, will train more highly proficient computer 
scientists than will the United States. The United States will lose 
its advantage in cyberspace if that advantage is predicated on simply 
amassing trained cybersecurity professionals. The U.S. govern¬ 
ment, therefore, must confront the cyberdefense challenge as it 
confronts other m ili tary challenges: with a focus not on numbers but 
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on superior technology arid productivity. High-speed sensors, advanced 
analytics, and automated systems will be needed to buttress the 
trained cybersecurity professionals in the U.S. military. And such 
tools will be available only if the U.S. commercial information 
technology sector remains the world’s leader—something that will 
require continuing investments in science, technology, and education 
at all levels. 

Making use of the private sector’s innovative capacity will also 
require dramatic improvements in the government’s procedures for 
acquiring information technology. On average, it takes the Pentagon 
81 months to make a new computer system operational after it is first 
funded. Taking into the account the growth of computing power 
suggested by Moore’s law, this means that by the time systems are 
delivered, they are already at least four gen¬ 
erations behind the state of the art. By 
comparison, the iPhone was developed in 
24 months. That is less time than it would 
take the Pentagon to prepare a budget and 
receive congressional approval for it. 

To replicate the dynamism of private 
industry, the Pentagon is developing a specific 
acquisition track for information technology. 

It is based on four principles. First, speed 
must be a critical, priority. The Pentagon’s 
acquisition process must match the technol¬ 
ogy development cycle. With information technology, this means 
cycles of 12 to 36 months, not seven or eight years. Second, the 
Pentagon must employ incremental development and testing rather 
than try to deploy large complex systems in one “big bang.”Third, the 
U.S. military must be willing to sacrifice or defer some customization 
in order to achieve speedy incremental improvements. Fourth, the 
Defense Department’s information technology needs—which range 
from modernizing nuclear com m and - an d- co ntrol systems to updating 
word-processing software—demand different levels of oversight. An 
approach to information technology acquisition that embodies these 
principles is essential to the U.S. military’s effectiveness when it 
comes to cyberdefense. 


It takes the Pentagon 
81 months to make a 
new computer system 
operational once it 
is first funded. The 
iPhone was developed 
in just 24 months. 
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ENTERING A NEW ERA 

Th k daunti ng challenges of cybersecurity represent the beginning 
of a new technological age. In this early hour, the United States’ great¬ 
est strength is its awareness of the transformation. Today’s predicament 
calls to mind an urgent letter written to President Franklin Roosevelt 
on the eve of another new technological era. Dated August 2,1939, it 
read in part, “Certain aspects of the situation which has arisen seem 
to call for watchfulness and, if necessary, quick action on the part of 
the Administration. I believe therefore that it is my duty to bring to 
your attention the following facts and recommendations.” The letter 
was signed, "Yours very truly, Albert Einstein.” Einsteins warning 
that breakthroughs in nuclear fission might make possible an atomic 
bomb led Roosevelt to launch the Manhattan Project, which helped 
prepare the United States for the atomic era. 

The cyberthreat does not involve the existential implications 
ushered in by the nuclear age, but there are important similarities. 
Cyberattacks offer a means for potential adversaries to overcome 
overwhelming U.S. advantages in conventional military power and 
to do so in ways that are instantaneous and exceedingly hard to trace. 
Such attacks may not cause the mass casualties of a nuclear strike, 
but they could paralyze U.S. society all the same. In the long run., 
hackers’ systematic penetration of U.S. universities and businesses 
could rob the United States of its intellectual property and compet¬ 
itive edge in the global economy. 

These risks are what is driving the Pentagon to forge a new 
strategy for cybersecurity. The principal elements of that strategy 
are to develop an organizational construct for training, equipping, 
and commanding cyberdefense forces; to employ layered protections 
with a strong core of active defenses; to use military capabilities to 
support other departments’ efforts to secure the networks that run 
the United States’ critical infrastructure; to build collective defenses 
with U.S. allies; and to invest in the rapid development of additional 
eyberdefense capabilities. The goal of this strategy is to make cyber¬ 
space safe so that its revolutionary innovations can enhance both the 
United States' national security and its economic security.® 


[108] 


FOREIGN AFFAIRS' Volume St) No. 5 



